feat: k3s role

collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/agent.yml

@@ -0,0 +1,18 @@
+---
+# TODO: implement
+# TODO: disable swap
+
+- name: operation not supported
+  ansible.builtin.debug:
+    msg: Operation currently not supported
+  failed_when: true
+
+- name: setup firewall rules
+  become: true
+  ansible.builtin.template:
+    src: ../templates/nftables.d/k3s_agents.nft.j2
+    dest: /etc/nftables.d/k3s_agents.nft
+    mode: '0600'
+  notify:
+    - 'k3s : restart firewall service'
+    - 'k3s : restart k3s service'

collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/main.yml

@@ -0,0 +1,92 @@
+---
+- name: gather facts if not already done
+  ansible.builtin.setup:
+    gather_subset:
+      - user_id
+
+- name: group by cluster name
+  ansible.builtin.group_by:
+    key: "k3s_clusters_{{ k3s_cluster_name }}_{{ k3s_cluster_role }}"
+  changed_when: false
+
+- name: determine cluster type and members
+  ansible.builtin.set_fact:
+    k3s_cluster_type: "{{ 'ha' if groups['k3s_clusters_' ~ k3s_cluster_name ~ '_' ~ k3s_cluster_role] | length > 1 else 'single' }}"
+    k3s_cluster_servers: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_server'] }}"
+    k3s_cluster_agents: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_agent'] | default([]) }}"
+    k3s_nft_servers4: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_server'] | default([]) | map('extract', hostvars, ['k3s_cluster_ip']) | ansible.utils.ipv4 }}"
+    k3s_nft_agents4: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_agent'] | default([]) | map('extract', hostvars, ['k3s_cluster_ip']) | ansible.utils.ipv4 }}"
+    k3s_nft_servers6: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_server'] | default([]) | map('extract', hostvars, ['k3s_cluster_ip']) | ansible.utils.ipv6 }}"
+    k3s_nft_agents6: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_agent'] | default([]) | map('extract', hostvars, ['k3s_cluster_ip']) | ansible.utils.ipv6 }}"
+    k3s_nft_operators4: "{{ k3s_operator_ips | ansible.utils.ipv4 }}"
+    k3s_nft_operators6: "{{ k3s_operator_ips | ansible.utils.ipv6 }}"
+  changed_when: false
+
+- name: get local controller account information
+  connection: local
+  ansible.builtin.getent:
+    database: passwd
+    key: "{{ ansible_facts.user_id }}"
+    split: ":"
+  changed_when: false
+  when: ansible_facts['getent_passwd'] is undefined or ansible_facts['user_id'] not in ansible_facts['getent_passwd']
+
+- name: set controller environment variables
+  ansible.builtin.set_fact:
+    controller_user_home: "{{ ansible_facts['getent_passwd'][ansible_facts['user_id']][4] }}"
+    k3sup_binary: "{{ ansible_facts['getent_passwd'][ansible_facts['user_id']][4] }}/.local/bin/k3sup"
+    kubeconfig_repository: "{{ ansible_facts['getent_passwd'][ansible_facts['user_id']][4] }}/.kubeconfig_repository"
+  changed_when: false
+
+- name: retrieve k3sup on Ansible controller
+  connection: local
+  nullified.infrastructure.github_artifact:
+    asset_name: k3sup
+    asset_type: release
+    repository: alexellis/k3sup
+    creates: '{{ k3sup_binary }}'
+    cmds:
+      - mkdir -p $HOME/.local/bin
+      - "install --mode=750 {asset_dirname}/{asset_filename} {{ k3sup_binary }}"
+
+- name: setup kubeconfig repository
+  connection: local
+  ansible.builtin.file:
+    path: "{{ kubeconfig_repository }}"
+    state: directory
+    mode: '0700'
+
+- name: setup permissions
+  become: true
+  block:
+    - name: install sudo
+      ansible.builtin.apt:
+        update_cache: true
+        force_apt_get: true
+        cache_valid_time: 3600
+        pkg: [ sudo ]
+        state: present
+    - name: add operator to sudoers
+      ansible.builtin.lineinfile:
+        backup: true
+        path: /etc/sudoers
+        regexp: "^{{ k3s_operator_username }}\b.+$"
+        line: "{{ k3s_operator_username }} ALL=(ALL) NOPASSWD: ALL"
+        state: present
+      register: backup_sudoers
+      changed_when: false
+
+- name: setup server role
+  include_tasks: server.yml
+  when: k3s_cluster_role is match("server")
+- name: setup agent role
+  include_tasks: agent.yml
+  when: k3s_cluster_role is match("agent")
+
+- name: reset permissions
+  become: true
+  command:
+    cmd: "mv {{ backup_sudoers.backup }} /etc/sudoers"
+    removes: "{{ backup_sudoers.backup }}"
+  when: backup_sudoers.backup
+  changed_when: false

collections/ansible_collections/nullified/infrastructure/roles/k3s/tasks/server.yml

@@ -0,0 +1,44 @@
+---
+# TODO: disable swap
+
+- name: setup firewall rules
+  become: true
+  ansible.builtin.template:
+    src: ../templates/nftables.d/k3s_servers.nft.j2
+    dest: /etc/nftables.d/k3s_servers.nft
+    mode: '0600'
+  notify:
+    - 'k3s : restart firewall service'
+    - 'k3s : restart k3s service'
+
+- name: flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: install K3S cluster, single server
+  connection: local
+  ansible.builtin.command:
+    argv:
+      - "{{ k3sup_binary }}"
+      - install
+      - "--merge"
+      - "--local-path"
+      - "{{ kubeconfig_repository }}/{{ k3s_cluster_name }}.kubeconfig"
+      - "--context"
+      - "{{ k3s_kube_context }}"
+      - "--k3s-extra-args"
+      - "{{ k3s_extra_args }}"
+      - "--user"
+      - "{{ k3s_operator_username }}"
+      - "--ssh-key"
+      - "{{ k3s_operator_ssh_key_path }}"
+      - "--host"
+      - "{{ inventory_hostname }}.{{ global_dns_domainname }}"
+  register: k3s_init
+  when: k3s_cluster_type is match("single")
+  changed_when: not "No change detected so skipping service start" in k3s_init.stdout
+
+- name: install K3S cluster, HA
+  connection: local
+  debug: msg="Not supported yet"
+  when: k3s_cluster_type is match("ha")
+  failed_when: true